Figured this out.

Thanks to an email from Paul Eden <paul@benchline.org>, I think I have finally resolved this issue.

Also related to the forum posting titled FC4.

The next release of blockhosts (1.0.2) will contain updated rules with SSHD-Invalid and SSHD-NotAllowed as part of the default rules, in addition to the current SSHD-Fail.

Here's what I think the full story is:
sshd will always put out the message "Invalid user..." in case of a failed login attempt from a non-root user.
In addition, if PasswordAuthentication = yes in the sshd_config file, and it was a failed password attempt, the log will have the "Failed password" line, in addition to the "Invalid user" line.

Still, it is not always sufficient to look for just the "Invalid user" lines to count failed attempts - in case of failed root attempts, sshd only prints a "Failed password" line, if PasswordAuthentication is set to yes.

To handle all this, version 1.0.2 now uses the process-id of the failed sshd attempts to make sure each attempt is counted only once, even if multiple lines are matched for the same process-id. This will prevent double counting, and should fix the issue for both values of PasswordAuthentication.

So, release 1.0.2 onwards will have the SSHD-Invalid and SSHD-NotAllowed rules enabled, as well as SSHD-Fail.
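
The process-id deduplication described in the comment above, sketched as an added example (this is not blockhosts code and not from the comment's author). The three regular expressions are simplified stand-ins for the rules named in the comment, and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Simplified patterns written for this example; they are NOT the rules
# shipped in blockhosts. Each captures the sshd process id and client address.
# The greedy ".*" means the last "from <addr>" on the line is the one used.
RULES = {
    "SSHD-Fail": re.compile(
        r"sshd\[(?P<pid>\d+)\]: Failed password for .* from (?P<host>[\d.]+)"),
    "SSHD-Invalid": re.compile(
        r"sshd\[(?P<pid>\d+)\]: Invalid user .* from (?P<host>[\d.]+)"),
    "SSHD-NotAllowed": re.compile(
        r"sshd\[(?P<pid>\d+)\]: User .* from (?P<host>[\d.]+) not allowed"),
}

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    # One attempt, two lines, same pid (PasswordAuthentication yes).
    "Jan  5 10:00:01 srv sshd[2101]: Invalid user admin from 192.0.2.10",
    "Jan  5 10:00:03 srv sshd[2101]: Failed password for invalid user admin "
    "from 192.0.2.10 port 4242 ssh2",
    # Failed root attempt: only a "Failed password" line is logged.
    "Jan  5 10:00:09 srv sshd[2107]: Failed password for root "
    "from 192.0.2.10 port 4250 ssh2",
    # Attempt that produced only an "Invalid user" line.
    "Jan  5 10:00:15 srv sshd[2112]: Invalid user test from 192.0.2.10",
    "Jan  5 10:00:20 srv sshd[2120]: User bob from 198.51.100.7 not allowed "
    "because not listed in AllowUsers",
]

def count_failures(lines, dedupe_by_pid=True):
    """Return {host: failed attempts}; with dedupe, one count per (host, pid)."""
    seen = set()
    counts = defaultdict(int)
    for line in lines:
        for rule in RULES.values():
            m = rule.search(line)
            if not m:
                continue
            key = (m["host"], m["pid"])
            if not (dedupe_by_pid and key in seen):
                seen.add(key)
                counts[m["host"]] += 1
            break  # a line matches at most one rule
    return dict(counts)

if __name__ == "__main__":
    print("per-line :", count_failures(SAMPLE_LOG, dedupe_by_pid=False))
    print("per-pid  :", count_failures(SAMPLE_LOG))
```

Process ids are reused over time, so a long-running counter would also need to expire old (host, pid) entries; that is left out here.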
